[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#790943: Root and local certificate location clash

severity 790943 normal

On Friday 03 July 2015 10:56:54, Daniel Pocock wrote:
> I've marked this bug serious because it could lead to security
> problems if people mix root certs and other certs in the same
> directory

The certificates generated by make-ssl-cert all have "X509v3 Basic 
Constraints: CA:FALSE". Any program that accepts such certificates as 
trusted root certificate already has a serious security problem. 
Therefore I don't think the policy of make-ssl-cert to put certs into 
/etc/ssl/certs creates additional security issues. I am downgrading 
the bug accordingly.

I am not really against putting server and ca certificate into 
separate directories. But some Debian-wide default would be nice, of 
course. Maybe we can discuss that at Debconf?

Reply to: